Title: An Easy Way to Win: Using SIGINT to Learn about New Viruses (Project Camberdada)

Release Date: 2015-06-22

Document Date: 2010-01-01

Description: This 2010 NSA presentation describes Project Camberdada, an attempt to subvert popular antivirus software by means of surveilling email traffic: see the Intercept article Popular Security Software Came Under Relentless NSA and GCHQ Attacks, 22 June 2015.

Document: TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL

An Easy Way to Win:
Using SIGINT to Learn about New Viruses

Project CAMBERDADA
ByHH, 1412 (IAD)

Derived From: NSA/CSSM 1-52
Dated: 20070108
Declassify On: 20370301

Overall classification

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL

BRICKTOP (2009)

Tascom RusComNet

Kaspersky

Rosoboron

Institute of Information & Telecommunication

Analytical Technology Corporation

Comstar Komet

Антивирус Касперского (Kaspersky Anti-Virus)

Sample Email Received by an AV Vendor

P WZA20120510218350000197506

Good day,

A phishing scam file is attached for your analysis.

Zip file password = virus

The file tricks the user into giving her/his bank account
credentials. This can be verified by clicking on the Sign In
button.

FYI: https://www.virustotal.com/file/8fb6447fdc9cfe204cde...

Regards,

Francois Picard
www.NewRoma.net

Attachment: BMOFinancialGroup.zip
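The submission above is the raw material for the malware triage the later slides count in files per day. As an added example (not code from the slides or from any AV vendor), the following parses a submission of this shape: it recovers the archive password from the message body, hashes the attachment and every archive member, and forms the VirusTotal lookup URL in the format the email uses. The sample email is constructed inline; the sender and recipient addresses, the archive contents, and the assumption that the old `/file/<hash>` URL form is still valid are all mine. The stdlib cannot write encrypted archives, so the constructed zip is unencrypted; an encrypted (ZipCrypto) member takes the same `read(pwd=...)` path.

```python
# Added example (not from the CAMBERDADA slides): triage of an AV-vendor
# submission shaped like the one above. The sample email is constructed here;
# sender/recipient addresses, the archive contents and the VirusTotal URL
# form are assumptions.
import email
import email.policy
import hashlib
import io
import re
import zipfile
from email.message import EmailMessage

# Constructed stand-in for the phishing page inside the attachment.
SAMPLE_PAYLOAD = b"<html><body><form>Sign In</form></body></html>"

# Matches the "Zip file password = virus" line in the submission body.
PASSWORD_RE = re.compile(r"password\s*[=:]\s*(\S+)", re.IGNORECASE)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_email() -> bytes:
    """Construct a submission like the slide's. The zip is unencrypted because
    the stdlib cannot write ZipCrypto archives; an encrypted one is read by
    the same code path in triage()."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("BMOFinancialGroup/index.html", SAMPLE_PAYLOAD)
    msg = EmailMessage()
    msg["From"] = "Francois Picard <analyst@example.invalid>"   # assumed address
    msg["To"] = "samples@example.invalid"                        # assumed address
    msg["Subject"] = "Phishing sample"
    msg.set_content(
        "Good day,\n\nA phishing scam file is attached for your analysis.\n\n"
        "Zip file password = virus\n\nRegards,\nFrancois Picard\n"
    )
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="BMOFinancialGroup.zip")
    return msg.as_bytes()


def triage(raw: bytes) -> dict:
    """Parse one submission: recover the archive password from the body,
    hash every attachment and every archive member, and build lookup URLs."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    m = PASSWORD_RE.search(body)
    pwd = m.group(1).encode() if m else None

    attachments = []
    for part in msg.iter_attachments():
        data = part.get_content()
        if not isinstance(data, bytes):
            continue                       # text attachments are not samples here
        entry = {"attachment": part.get_filename(),
                 "sha256": sha256_hex(data), "members": []}
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    encrypted = bool(info.flag_bits & 0x1)
                    try:
                        content = zf.read(info, pwd=pwd)
                    except RuntimeError:   # encrypted member, wrong or missing password
                        entry["members"].append({"name": info.filename,
                                                 "encrypted": encrypted,
                                                 "error": "cannot decrypt"})
                        continue
                    digest = sha256_hex(content)
                    entry["members"].append({
                        "name": info.filename, "size": len(content),
                        "encrypted": encrypted, "sha256": digest,
                        # URL form taken from the slide; assumed still valid
                        "virustotal": f"https://www.virustotal.com/file/{digest}",
                    })
        attachments.append(entry)
    return {"password": pwd.decode() if pwd else None, "attachments": attachments}
```

Hashing the inner members rather than only the outer archive matters: the archive changes with every password or compression setting, while the phishing page inside it is what the "FYI" VirusTotal link and any deployed signature actually refer to.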

Work Flow

Analytic value

- SIGINT brings in ~10 potentially malicious files per day for malware triage
- Over 500 potentially malicious files collected since 2009
- ~50 CAMBERDADA signatures deployed to NIPRnet for alerting
- 9 domains mitigated

DNS Interdiction

- 9 domains under DNS Interdiction
- Cloudshield intercepts the DNS request
- Returns the address of a DoD listening post
- Munged version of the request is sent out
- DNS response is sent to a log
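The five bullets above describe a DNS sinkhole with a twist: the client is answered with the listening post's address, but a munged copy of the query still goes upstream so the real answer is learned and logged. As an added example (not code from the slides or from Cloudshield), the following toy resolver applies that workflow to a watchlist. Wire-format handling is hand-rolled for the subset of DNS needed (A queries, one question, compression pointers). The watchlist domain, the listening-post and upstream addresses, the munging rule (fresh transaction ID plus 0x20-style mixed case, since the slide does not say what "munged" means) and the log layout are all assumptions, and the upstream resolver is simulated so the example runs offline.

```python
# Added example (not from the CAMBERDADA slides): the "DNS Interdiction"
# workflow above applied by a toy resolver. For a watched domain it answers
# the client with the address of a listening post, sends a munged copy of the
# query upstream and logs the real answer; other names pass straight through.
# The watchlist, listening-post and upstream addresses, the munging rule and
# the log layout are assumptions, and the upstream resolver is simulated.
import struct

WATCHLIST = {"newroma.net"}        # assumed: the domain from the sample email
LISTENING_POST = "192.0.2.53"      # assumed listening-post address (TEST-NET-1)
UPSTREAM_ANSWER = "198.51.100.7"   # what the simulated upstream resolver returns


def encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(pkt: bytes, off: int):
    """Return (name, offset just past the name), following compression pointers."""
    labels, end = [], None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                       # pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def build_query(qid: int, qname: str, qtype: int = 1) -> bytes:
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_query(pkt: bytes):
    """Return (id, qname, qtype, offset past the question section)."""
    qid = struct.unpack("!H", pkt[:2])[0]
    qname, off = decode_name(pkt, 12)
    qtype = struct.unpack("!H", pkt[off:off + 2])[0]
    return qid, qname, qtype, off + 4


def build_a_response(query: bytes, ip: str, ttl: int = 60) -> bytes:
    """Answer the query's question with a single A record for `ip`."""
    qid, _, _, qend = parse_query(query)
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA; one answer
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata  # name ptr -> question
    return header + query[12:qend] + answer


def parse_a_answers(pkt: bytes):
    """Collect the IPv4 addresses in a response's answer section."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(pkt, off)
        off += 4
    ips = []
    for _ in range(an):
        _, off = decode_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in pkt[off:off + 4]))
        off += rdlen
    return ips


def is_watched(qname: str) -> bool:
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in WATCHLIST)


def munge_query(query: bytes, new_qid: int) -> bytes:
    """Assumed munging rule: fresh transaction ID and 0x20-style mixed-case
    name, so the outbound lookup is not a byte-for-byte copy of the client's."""
    _, qname, qtype, _ = parse_query(query)
    mixed = "".join(c.upper() if i % 2 == 0 else c.lower() for i, c in enumerate(qname))
    return build_query(new_qid, mixed, qtype)


def interdict(query: bytes, upstream, log: list, new_qid: int = 0xBEEF):
    """Handle one query. `upstream` maps a query packet to a response packet.
    Returns (response for the client, query forwarded upstream or None)."""
    _, qname, _, _ = parse_query(query)
    if not is_watched(qname):
        return upstream(query), None                     # not mitigated: pass through
    to_client = build_a_response(query, LISTENING_POST)  # point the client at the listening post
    forwarded = munge_query(query, new_qid)
    real = upstream(forwarded)                           # still learn the real answer
    log.append({"qname": qname, "told_client": LISTENING_POST,
                "real_answer": parse_a_answers(real)})
    return to_client, forwarded


def simulated_upstream(query: bytes) -> bytes:
    """Stand-in for a recursive resolver; no network is used."""
    return build_a_response(query, UPSTREAM_ANSWER, ttl=300)


def demo():
    log = []
    resp, fwd = interdict(build_query(0x1234, "www.newroma.net"), simulated_upstream, log)
    return parse_a_answers(resp), parse_query(fwd)[1], log
```

The split between `to_client` and `forwarded` is the whole point of the slide: the sinkhole answer keeps the infected host talking to the listening post, while the separate upstream lookup keeps the log current on where the domain really points. A watchlist match is done on the lowercased name with a suffix test, so `www.newroma.net` and `newroma.net` are both caught.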